fix: restrict webhook endpoint to POST only (closes #20)

Add method check at the top of HandleWebhook, returning 405 Method Not Allowed with an Allow: POST header for any non-POST request. This prevents GET, PUT, DELETE, etc. from being accepted at entrypoint URLs.
2026-03-01 16:35:38 -08:00 · 2026-03-01 16:35:38 -08:00 · e2ac30287b
commit e2ac30287b
parent 49ab1a6147
2 changed files with 10 additions and 1 deletions
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@ -15,8 +15,15 @@ const (
 )

 // HandleWebhook handles incoming webhook requests at entrypoint URLs.
+// Only POST requests are accepted; all other methods return 405 Method Not Allowed.
 func (h *Handlers) HandleWebhook() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			w.Header().Set("Allow", "POST")
+			http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
 		entrypointUUID := chi.URLParam(r, "uuid")
 		if entrypointUUID == "" {
 			http.NotFound(w, r)
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@ -109,6 +109,8 @@ func (s *Server) SetupRoutes() {
 		r.Post("/targets", s.h.HandleTargetCreate())         // Add target
 	})

-	// Entrypoint endpoint - accepts incoming webhook POST requests
+	// Entrypoint endpoint — accepts incoming webhook POST requests only.
+	// Using HandleFunc so the handler itself can return 405 for non-POST
+	// methods (chi's Method routing returns 405 without Allow header).
 	s.router.HandleFunc("/webhook/{uuid}", s.h.HandleWebhook())
 }